DETAILED ACTION 
Continued Examination Under 37 CFR 1.114 

1. A request for continued examination under 37 CFR 1.114, including the fee set forth in 
37 CFR 1.17(e), was filed in this application after final rejection. Since this application is 
eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) 
has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 
37 CFR 1.114. Applicant's submission filed on 11 October 2007 has been entered. 

2. Claims 1-28 have been presented for examination. 

Response to Arguments 

3. Applicant's arguments, see page 13, filed 11 October 2007, with respect to the 
specification have been fully considered and are persuasive. The objection of the specification 
has been withdrawn. 

4. Applicant's arguments, see page 13, filed 11 October 2007, with respect to claims 18-23 
have been fully considered and are persuasive. The 35 U.S.C. 101 rejection of the claims 18-23 
has been withdrawn. 

5. Applicant's arguments with respect to the prior art rejection of claims 1-28 have been 
considered but are moot in view of the new grounds of rejection. 

Claim Objections 

6. Claims 1-13 and 18-24 are objected to because of the following informalities: Claims 1, 
18 and 24 recite: 

if the second client node is determined to not be authenticated to communicate over the 
first logical subinterface's dedicated network or subnetwork, preventing the second 
received data packet from being forwarded over the first logical subinterface's dedicated 
network of subnetwork, while still allowing data packets from the first client node to be 
forwarded if the first client node is determined to be authenticated. 

For purposes of examination the Examiner shall interpret the claim language as: 

if the second client node is determined to not be authenticated to communicate over the 
first logical subinterface's dedicated network or subnetwork, preventing the second 
received data packet from being forwarded over the first logical subinterface's dedicated 
network or subnetwork, while still allowing data packets from the first client node to be 
forwarded if the first client node is determined to be authenticated. 

Appropriate correction is required. 

7. Claims 25-28 are objected to because of the following informalities: Claims 1, 18 and 24 
recite: 

wherein the media access control (MAC) filter grants client nodes access on a basis client 
by client basis 

For purposes of examination the Examiner shall interpret the claim language as: 

wherein the media access control (MAC) filter grants client nodes access on a client by 
client basis 

Appropriate correction is required. 

8. Applicant is advised that should claims 3 and 4 be found allowable, claims 27 and 28 will 
be objected to under 37 CFR 1.75 as being a substantial duplicate thereof. When two claims in 
an application are duplicates or else are so close in content that they both cover the same thing, 
despite a slight difference in wording, it is proper after allowing one claim to object to the other 
as being a substantial duplicate of the allowed claim. See MPEP § 706.03(k). 

Claim Rejections - 35 USC §102 

9. The text of those sections of Title 35, U.S. Code not included in this action can be found 
in a prior Office action. 
10. Claims 1-5, 8, 9, 11, 14, 15, 17-19, and 21-28 are rejected under 35 U.S.C. 102(e) as 
being anticipated by U.S. Patent Application Publication No. 2005/0055570 A1 to Kwan et al., 
hereinafter Kwan. 

11. As per claims 1, 14, 18, and 24, Kwan teaches a method, an intermediate node, an 
apparatus, and a computer-readable medium for implementing port-based network access control 
at a shared media port in an intermediate node, the shared media port being coupled to a plurality 
of client nodes, the method comprising: 

partitioning the shared media port into a plurality of logical subinterfaces (paragraph 
0006, i.e. one or more computing devices are coupled to a single port), each logical subinterface 
dedicated to providing access to a different network or subnetwork accessible through the 
intermediate node (paragraphs 0009,0010, i.e. assigning a port to dynamic VLANs); 

receiving a data packet at the shared media port from a first client node (paragraphs 0032, 
0034, i.e. receiving data packets or frames to be channeled to the appropriate network); 

associating the received data packet with a first logical subinterface in the plurality of 
logical subinterfaces (paragraphs 0032, 0034, i.e. associating the received packet or frame with 
an appropriate output port based on the destination address); 

determining whether the first client node is authenticated to communicate over the first 
logical subinterface's dedicated network or subnetwork (paragraph 0028, i.e. authenticating the 
MAC address of the user device, authenticating the user according to 802.1X, and authenticating 
whether the user is able to access the particular port based on a particular user policy); 

if the first client node is determined to be authenticated to communicate over the first 
logical subinterface's dedicated network or subnetwork, forwarding the received data packet over 
the first logical subinterface's dedicated network or subnetwork (Figures 3 [block 324], 5 [block 
532], paragraphs 0015, 0043, 0073); 

receiving a second data packet at the shared media port from a second client node 
(paragraphs 0032, 0034, i.e. receiving data packets or frames is the same for the first user as it is 
for the nth user); 

associating the second received data packet with the first logical subinterface (paragraphs 
0032, 0034, i.e. associating the received packet or frame is the same for the first user as it is for 
the nth user); 

determining whether the second client node is authenticated to communicate over the first 
logical subinterface's dedicated network or subnetwork (paragraph 0028, i.e. the three types of 
authentication disclosed in Kwan are the same for the first user and every user thereafter); and 

if the second client node is determined to not be authenticated to communicate over the 
first logical subinterface's dedicated network or subnetwork, preventing the second received data 
packet from being forwarded over the first logical subinterface's dedicated network or 
subnetwork (Figures 3 [blocks 308, 314, 318, 322], 5 [blocks 518, 522, 526, 530], paragraphs 
0039, 0041-0043, 0068, 0075, 0076), while still allowing data packets from the first client node 
to be forwarded if the first client node is determined to be authenticated (paragraph 0081, i.e. 
network access device 602 can selectively accept packets from user devices having valid MAC 
addresses while dropping packets from user devices having invalid MAC addresses). 

12. Regarding claim 2, Kwan teaches performing at least one of dropping the received data 
packet (Figure 3 [block 308]) or reclassifying the received data packet to a different logical 
subinterface (paragraph 0039), if the first client node is determined not to be authenticated to 
communicate over the first logical subinterface's dedicated network or subnetwork (paragraph 
0039). 

13. Regarding claims 3 and 27, Kwan teaches wherein the first logical subinterface's 
dedicated network or subnetwork is a virtual private network (VPN) (paragraphs 0010-0011, i.e. 
VLANs). 

14. Regarding claims 4 and 28, Kwan teaches wherein a logical subinterface in the plurality 
of logical subinterfaces is dedicated to providing access to the Internet (paragraph 0010, 0032, 
and 0035, i.e. Kwan's disclosure of the OSI model and Voice Over IP both imply that 
communication and data access is being made to the Internet). 

15. Regarding claims 5, 17, and 19, Kwan teaches wherein the step of determining whether 
the first client node is authenticated to communicate over the first logical subinterface's 
dedicated network or subnetwork further comprises: 

parsing a source media access control (MAC) address from the received data packet 
(Figure 3 [block 304], paragraphs 0039, 0046-0049); 

comparing MAC address and 802.1X formats with stored known Ethernet and 
authentication packet types (Figure 3 [block 306], paragraphs 0039, 0046); 

identifying an authentication state stored in the indexed MAC-filter entry (paragraphs 
0012, 0039, 0046, i.e. determining if the MAC addresses are secure); and 
determining whether the first client node is authenticated to communicate over the first 
logical subinterface's dedicated network or subnetwork based on the stored authentication state 
stored in the indexed MAC-filter entry (Figure 3 [block 310], paragraph 0040). 

16. Regarding claims 8 and 21, Kwan teaches wherein the step of associating the received 
data packet with the first logical subinterface, further comprises locating an entry in a routing 
table configured to store routing information associated with the received data packet; and 
associating the received data packet with the first logical subinterface based on the contents of 
the routing-table entry (paragraphs 0034, 0039). 

17. Regarding claims 9, 15, and 22, Kwan teaches receiving an authentication request from 
the first client node at the shared media port (Figure 4, paragraph 0050); 

in response to receiving the authentication request, creating a MAC filter associated with 
the shared media port if the MAC filter has not already been created (paragraphs 0055-0057, i.e. 
learn secure MAC addresses); 

copying a source MAC address stored in the received authentication request into an 
appropriate entry in the MAC filter (paragraphs 0055-0057, i.e. storing a list of the secure MAC 
addresses); 

forwarding the received authentication request to an authentication service (paragraphs 
0055-0057, 0070-0076); 

receiving a response from the authentication service, the response identifying an 
authentication state associated with the first client node (paragraphs 0055-0057, 0070-0076); and 
storing the authentication state into the same MAC filter entry into which the source 
MAC address was copied (paragraphs 0055-0057, 0070-0076, i.e. storing a list of the secure 
MAC addresses). 
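
The sequence the Examiner walks through in paragraphs 11, 15 and 17 (the MAC-filter entry created on the authentication request, the authentication service's response stored into that entry, and a per-source-MAC forwarding decision for each later data packet), written out as an added example in Python. This is not code from the application under examination or from Kwan; the class names, the directory-backed authentication service, the destination-based classification and the addresses are all assumptions made for the illustration. The open_destinations allow-list corresponds to the destination-address filter discussed under claims 7, 16 and 20 below, and the redirect to the untrusted subinterface to claims 2 and 26.

```python
# Added example: per-client MAC filter on a shared media port split into logical
# subinterfaces. Names, addresses and the directory-backed auth service are assumptions.
import ipaddress
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Set


class AuthState(Enum):
    UNKNOWN = "unknown"                  # no completed authentication on record
    AUTHENTICATED = "authenticated"
    UNAUTHENTICATED = "unauthenticated"  # the authentication service rejected the client


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_ip: str
    auth_request: bool = False  # True for an 802.1X (EAPOL) frame
    identity: str = ""          # supplicant identity carried in the auth request


@dataclass
class Subinterface:
    name: str
    network: ipaddress.IPv4Network  # routing-table entry that classifies packets here
    trusted: bool = True            # an untrusted subinterface needs no authentication
    # destinations reachable even by unauthenticated clients (destination-address filter)
    open_destinations: Set[str] = field(default_factory=set)


class SharedMediaPort:
    def __init__(self, subinterfaces: List[Subinterface], untrusted: Subinterface,
                 auth_service: Callable[[str, str], bool]) -> None:
        # most specific route first
        self.routing_table = sorted(subinterfaces, key=lambda s: s.network.prefixlen, reverse=True)
        self.untrusted = untrusted
        self.auth_service = auth_service
        self.mac_filter: Optional[Dict[str, AuthState]] = None  # created on the first auth request

    def auth_state(self, mac: str) -> AuthState:
        return AuthState.UNKNOWN if self.mac_filter is None else self.mac_filter.get(mac, AuthState.UNKNOWN)

    def _handle_auth_request(self, pkt: Packet) -> AuthState:
        if self.mac_filter is None:
            self.mac_filter = {}
        self.mac_filter[pkt.src_mac] = AuthState.UNKNOWN  # MAC copied in before the reply arrives
        accepted = self.auth_service(pkt.identity, pkt.src_mac)
        self.mac_filter[pkt.src_mac] = AuthState.AUTHENTICATED if accepted else AuthState.UNAUTHENTICATED
        return self.mac_filter[pkt.src_mac]

    def receive(self, pkt: Packet) -> str:
        # Forwarding decision for one packet, made per source MAC.
        if pkt.auth_request:
            return "auth:" + self._handle_auth_request(pkt).value
        addr = ipaddress.ip_address(pkt.dst_ip)
        subif = next((s for s in self.routing_table if addr in s.network), None)
        if subif is None:
            return "drop:no-route"
        if not subif.trusted or self.auth_state(pkt.src_mac) is AuthState.AUTHENTICATED:
            return "forward:" + subif.name
        if pkt.dst_ip in subif.open_destinations:
            return "forward:" + subif.name + ":open-destination"
        # not authenticated for a trusted subinterface: redirect rather than drop
        return "redirect:" + self.untrusted.name


# Constructed directory standing in for the authentication service (assumption).
KNOWN_CLIENTS = {"alice": "00:11:22:33:44:01", "bob": "00:11:22:33:44:02"}


def directory_auth(identity: str, mac: str) -> bool:
    return KNOWN_CLIENTS.get(identity) == mac


def build_port() -> SharedMediaPort:
    corp = Subinterface("corp", ipaddress.ip_network("10.1.0.0/16"),
                        open_destinations={"10.1.0.5"})  # e.g. a portal clients may reach first
    guest = Subinterface("guest", ipaddress.ip_network("0.0.0.0/0"), trusted=False)
    return SharedMediaPort([corp, guest], untrusted=guest, auth_service=directory_auth)


def demo() -> List[str]:
    port = build_port()
    alice, mallory, carol = "00:11:22:33:44:01", "00:11:22:33:44:99", "00:11:22:33:44:77"
    traffic = [  # constructed sample traffic on the shared port
        Packet(alice, "0.0.0.0", auth_request=True, identity="alice"),
        Packet(mallory, "0.0.0.0", auth_request=True, identity="alice"),  # alice's identity, wrong MAC
        Packet(alice, "10.1.2.3"),         # authenticated client onto corp
        Packet(mallory, "10.1.2.3"),       # rejected client aimed at corp
        Packet(mallory, "10.1.0.5"),       # rejected client, but an open destination
        Packet(carol, "10.1.2.3"),         # never authenticated: no filter entry
        Packet(mallory, "93.184.216.34"),  # anyone may use the untrusted subinterface
    ]
    return [port.receive(p) for p in traffic]

if __name__ == "__main__":
    print("\n".join(demo()))
```

Running demo() shows the property the claim language turns on: after the second client is rejected, its packets aimed at the trusted subinterface are redirected, while the first client's packets to the same subinterface keep flowing, because the decision is keyed on the source MAC of each packet rather than on the port as a whole. A client that never sent an authentication request has no filter entry and is treated the same as a rejected one.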

18. With regards to claims 11 and 23, Kwan teaches wherein the received authentication 
request is an 802.1X authentication request (Figure 5, paragraphs 0028, 0066-0069). 

19. As per claim 25, Kwan teaches an apparatus comprising: 

a shared media port (paragraph 0006, i.e. one or more computing devices are coupled to a 
single port) having a trusted subinterface configured to provide access to a trusted network or 
subnetwork (Figures 3 [block 324], 5 [block 532], paragraphs 0015, 0043, 0073) and an untrusted 
subinterface configured to provide access to an untrusted network or subnetwork (paragraphs 
0015, 0016, 0039, i.e. unauthenticated packets or frames are redirected to another network 
destination); 

an authenticator configured to receive authentication requests from a plurality of client 
nodes and in response to the authentication requests to independently assign to each of the plurality 
of client nodes an authentication state (Figures 3 [block 324], 5 [block 532], paragraphs 0015, 
0043, 0060, 0073); 

a media access control (MAC) filter (paragraph 0064) configured to maintain an entry for 
each client node indicating the authentication state of the client node and a MAC address of the 
client node, and in response to receipt of a data packet from a particular client node directed to 
the trusted subinterface, to index to an entry of the MAC filter based on a source MAC address 
of the data packet, to identify the authentication state of the particular client node stored in the 
indexed MAC-filter entry, and to determine whether the particular client node is authenticated to 
communicate over the trusted subinterface, and if so, to permit the particular client node to 
access the trusted subinterface (paragraphs 0039-0044, 0064), 

wherein the media access control (MAC) filter grants client nodes access on a client by 
client basis (paragraph 0081, i.e. network access device 602 can selectively accept packets from 
user devices having valid MAC addresses while dropping packets from user devices having 
invalid MAC addresses). 

20. Regarding claim 26, Kwan teaches wherein the MAC filter is further configured to 
redirect a data packet of the particular client node from the trusted subinterface to the untrusted 
subinterface if the particular client node is not authenticated to communicate over the trusted 
subinterface (paragraphs 0015, 0016, 0039, i.e. packets or frames are redirected to another 
network destination). 

Claim Rejections - 35 USC §103 

21. The text of those sections of Title 35, U.S. Code not included in this action can be found 
in a prior Office action. 

22. Claims 6 and 10 are rejected under 35 U.S.C. 103(a) as being unpatentable over Kwan in 
view of U.S. Patent Application Publication No. 2005/0177865 to Ng et al., hereinafter Ng. 

23. With regards to claim 6, Kwan does not teach wherein the MAC filter is organized as a 
hash table. 



Application/Control Number: 10/728,302 Page 10 

Art Unit: 2131 

24. Ng discloses wherein the state information has been stored using a hash function 
(paragraph [0080]). 

25. It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to organize the MAC filter as a hash table, since one of ordinary skill in the art would 
recognize that, because the MAC addresses were being used as an authentication means, it would be 
necessary to store the addresses in a protected format, similar to how Unix systems store user 
passwords in a hashed file, to prevent unauthorized users from acquiring the MAC addresses if 
the intermediate node were ever compromised. 

26. With regards to claim 10, Kwan teaches indexing an entry in the MAC filter and storing 
the MAC address at the filter entry (paragraphs 0055-0057, i.e. storing a list of secure MAC 
addresses). 

27. Kwan does not teach wherein the MAC addresses are hashed prior to being indexed. 

28. Ng discloses wherein the state information has been stored using a hash function 
(paragraph [0080]). 

29. It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to organize the MAC filter as a hash table, since one of ordinary skill in the art would 
recognize that, because the MAC addresses were being used as an authentication means, it would be 
necessary to store the addresses in a protected format, similar to how Unix systems store user 
passwords in a hashed file, to prevent unauthorized users from acquiring the MAC addresses if 
the intermediate node were ever compromised. 
30. Claims 7, 16, and 20 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Kwan in view of U.S. Patent Application No. 2004/0208151 to Haverinen et al., hereinafter 
Haverinen. 

31. Regarding claims 7, 16, and 20, Kwan teaches parsing a destination address from the 
received data packet (paragraphs 0032, 0034); 

comparing the parsed destination address to one or more addresses stored in a filter 
associated with the shared media port (paragraphs 0032, 0034); and 

if the parsed destination address matches an address stored in the filter, forwarding the 
received data packet over the first logical subinterface's dedicated network or subnetwork, even 
if the first client node is determined not to be authenticated to communicate over that network or 
subnetwork (paragraphs 0032, 0034). 

32. Kwan does not teach wherein the destination address is an IP address. 

33. Haverinen discloses using an IP address to authenticate data (paragraph 0029). 

34. It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to perform an open systems authentication protocol using the destination IP address, 
since Haverinen states at paragraph [0004] that using an open systems authentication protocol, 
specifically one focused on the third layer of the OSI model, allows wireless users to authenticate 
and access network resources, thereby allowing users the freedom to access network resources 
whenever and wherever they would like. This is further supported by paragraph 0034 of 
Kwan, which includes the option for layer 3 and network layer functions of the OSI model. 
35. Claim 12 is rejected under 35 U.S.C. 103(a) as being unpatentable over Kwan in view of 
U.S. Patent No. 6,891,819 to Inoue et al., hereinafter Inoue. 

36. With regards to claim 12, Kwan does not teach sending an alarm message over the first 
logical subinterface's dedicated network or subnetwork after the first client node fails to 
authenticate at the shared media port a predetermined number of times. 

37. Inoue discloses tracking the number of times a user has failed authentication and 
providing an indication that said account has failed authentication a predetermined number of 
times (Figures 12-14, 18 and 19, column 12, lines 45-67, column 13, lines 22-46, column 17, 
lines 53-59). 

38. It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to send an alarm message over the first logical subinterface's dedicated network or 
subnetwork after the first client node fails to authenticate at the shared media port a 
predetermined number of times, since Inoue states at column 3, lines 1-6 that tracking the 
number of times an authentication fails helps to prevent the improper acquisition of user or network 
information since reaching the threshold of improper authorization attempts is a clear indicator 
that the user account or mobile system has been compromised. 

39. Claim 13 is rejected under 35 U.S.C. 103(a) as being unpatentable over Kwan in view of 
U.S. Patent Application Publication No. 2004/0158735 to Roese, hereinafter Roese. 

40. With regards to claim 13, Kwan does not teach sending an alarm message over the first 
logical subinterface's dedicated network or subnetwork after the first client node's authentication 
state changes from an authenticated state to an unauthenticated or unknown state. 
41. Roese teaches sending an alarm message over the first logical subinterface's dedicated 
network or subnetwork after the first client node's authentication state changes from an 
authenticated state to an unauthenticated or unknown state (paragraph [0029], i.e. tracking state 
changes via a tracking function). 

42. It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to send an alarm message over the first logical subinterface's dedicated network or 
subnetwork after the first client node's authentication state changes from an authenticated state to 
an unauthenticated or unknown state, since one of ordinary skill in the art would recognize that it 
would serve as an alert to an administrator that potential malicious behavior is occurring. 
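
The two alarm conditions addressed for claims 12 and 13 (a client failing authentication a predetermined number of times, and a client's authentication state dropping from authenticated to unauthenticated or unknown), implemented together as an added example in Python. This is not code from the application, from Inoue or from Roese; the threshold of three, the state names, the alarm kinds and the constructed event stream are assumptions made for the illustration.

```python
# Added example: alarms on repeated authentication failure and on an
# authenticated-to-unauthenticated/unknown transition, tracked per client MAC.
# Threshold, state names and the event stream are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

AUTHENTICATED, UNAUTHENTICATED, UNKNOWN = "authenticated", "unauthenticated", "unknown"


@dataclass(frozen=True)
class Alarm:
    kind: str    # "failure-threshold" (claim 12 condition) or "state-downgrade" (claim 13 condition)
    mac: str
    detail: str


class AuthStateMonitor:
    def __init__(self, threshold: int = 3) -> None:
        self.threshold = threshold
        self.failures: Dict[str, int] = defaultdict(int)  # consecutive failures per MAC
        self.state: Dict[str, str] = {}                   # last known state per MAC
        self.alarms: List[Alarm] = []

    def observe(self, mac: str, new_state: str) -> List[Alarm]:
        """Record one authentication outcome for a client MAC; return the alarms it raised."""
        raised: List[Alarm] = []
        previous = self.state.get(mac, UNKNOWN)
        if new_state == AUTHENTICATED:
            self.failures[mac] = 0                      # a success ends the run of failures
        elif new_state == UNAUTHENTICATED:
            self.failures[mac] += 1
            if self.failures[mac] == self.threshold:    # fire once per run, not on every later failure
                raised.append(Alarm("failure-threshold", mac, f"{self.threshold} consecutive failures"))
        if previous == AUTHENTICATED and new_state in (UNAUTHENTICATED, UNKNOWN):
            raised.append(Alarm("state-downgrade", mac, f"{previous} -> {new_state}"))
        self.state[mac] = new_state
        self.alarms.extend(raised)
        return raised


# Constructed event stream: (client MAC, authentication outcome) in arrival order.
EVENTS: List[Tuple[str, str]] = [
    ("00:11:22:33:44:01", AUTHENTICATED),
    ("00:11:22:33:44:99", UNAUTHENTICATED),
    ("00:11:22:33:44:99", UNAUTHENTICATED),
    ("00:11:22:33:44:99", UNAUTHENTICATED),  # third failure: threshold alarm
    ("00:11:22:33:44:01", UNKNOWN),          # e.g. reauthentication timed out: downgrade alarm
    ("00:11:22:33:44:99", UNAUTHENTICATED),  # fourth failure: no second alarm until a success resets
    ("00:11:22:33:44:01", AUTHENTICATED),
    ("00:11:22:33:44:01", UNAUTHENTICATED),  # previously authenticated client now rejected: downgrade alarm
]


def run(events: List[Tuple[str, str]] = EVENTS, threshold: int = 3) -> List[Alarm]:
    monitor = AuthStateMonitor(threshold)
    for mac, outcome in events:
        monitor.observe(mac, outcome)
    return monitor.alarms


if __name__ == "__main__":
    for alarm in run():
        print(f"ALARM {alarm.kind} mac={alarm.mac} {alarm.detail}")
```

The failure counter is reset only by a success, so a client that keeps failing after the threshold does not flood the alarm channel, and a transition to the unknown state (an expired or withdrawn authentication rather than a rejection) is reported as a downgrade without being counted as a failed attempt. Where such alarms go in practice is the administrator's choice; here they are simply returned.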

Conclusion 

43. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Christian La Forgia whose telephone number is (571) 272-3792. 
The examiner can normally be reached on Monday thru Thursday 7-5. 

44. If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 
45. Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



Christian LaForgia 
Patent Examiner 
Art Unit 2131 



